Ensure that otel-collector and otel-agent run as sourcegraph user (#543)

willdollman · web-flow · commit 788d32f502a2 · 2024-08-28T18:31:03.000+01:00
* Ensure that otel-collector and otel-agent run as sourcegraph user

* Update changelog

* Include securityContext in otel deployment + daemonset

* Run helm-docs.sh
diff --git a/charts/sourcegraph/CHANGELOG.md b/charts/sourcegraph/CHANGELOG.md
@@ -8,6 +8,8 @@ Use `**BREAKING**:` to denote a breaking change
 
 ## Unreleased
 
+- Updated OpenTelemetry collector and agent images to run as non-root users [#543](https://github.com/sourcegraph/deploy-sourcegraph-helm/pull/543)
+
 ## 5.6.185
 
 - Sourcegraph 5.6.185 is now available
diff --git a/charts/sourcegraph/README.md b/charts/sourcegraph/README.md
@@ -194,6 +194,9 @@ In addition to the documented values, all services also support the following va
 | nodeExporter.resources | object | `{"limits":{"cpu":"1","memory":"1Gi"},"requests":{"cpu":".2","memory":"100Mi"}}` | Resource requests & limits for the `node-exporter` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
 | nodeExporter.serviceAccount.create | bool | `false` | Enable creation of ServiceAccount for `node-exporter` |
 | nodeExporter.serviceAccount.name | string | `"node-exporter"` | Name of the ServiceAccount to be created or an existing ServiceAccount |
+| openTelemetry.agent.containerSecurityContext.allowPrivilegeEscalation | bool | `false` |  |
+| openTelemetry.agent.containerSecurityContext.runAsGroup | int | `101` |  |
+| openTelemetry.agent.containerSecurityContext.runAsUser | int | `100` |  |
 | openTelemetry.agent.hostPorts | object | `{"otlpGrpc":4317,"otlpHttp":4318,"zpages":55679}` | Resource requests & limits for the `otel-agent` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
 | openTelemetry.agent.name | string | `"otel-agent"` | Name used by resources. Does not affect service names or PVCs. |
 | openTelemetry.agent.resources.limits.cpu | string | `"500m"` |  |
@@ -206,6 +209,9 @@ In addition to the documented values, all services also support the following va
 | openTelemetry.gateway.config.traces.exporters | object | `{}` | Define where traces should be exported to. Read how to configure different backends in the [OpenTelemetry documentation](https://opentelemetry.io/docs/collector/configuration/#exporters) |
 | openTelemetry.gateway.config.traces.exportersTlsSecretName | string | `""` | Define the name of a preexisting secret containing TLS certificates for exporters, which will be mounted under "/tls". Read more about TLS configuration of exporters in the [OpenTelemetry Collector documentation](https://github.com/open-telemetry/opentelemetry-collector/blob/main/config/configtls/README.md) |
 | openTelemetry.gateway.config.traces.processors | object | `{}` | Define trace processors. Read how to configure sampling in the [OpenTelemetry documentation](https://docs.sourcegraph.com/admin/observability/opentelemetry#sampling-traces) |
+| openTelemetry.gateway.containerSecurityContext.allowPrivilegeEscalation | bool | `false` |  |
+| openTelemetry.gateway.containerSecurityContext.runAsGroup | int | `101` |  |
+| openTelemetry.gateway.containerSecurityContext.runAsUser | int | `100` |  |
 | openTelemetry.gateway.name | string | `"otel-collector"` | Name used by resources. Does not affect service names or PVCs. |
 | openTelemetry.gateway.resources | object | `{"limits":{"cpu":"3","memory":"3Gi"},"requests":{"cpu":"1","memory":"1Gi"}}` | Resource requests & limits for the `otel-collector` container, learn more from the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) |
 | openTelemetry.gateway.serviceAccount.create | bool | `false` | Enable creation of ServiceAccount for `otel-collector` |
diff --git a/charts/sourcegraph/templates/otel-collector/otel-agent.DaemonSet.yaml b/charts/sourcegraph/templates/otel-collector/otel-agent.DaemonSet.yaml
@@ -58,6 +58,8 @@ spec:
         {{- end }}
         resources:
           {{- toYaml .Values.openTelemetry.agent.resources | nindent 10 }}
+        securityContext:
+          {{- toYaml .Values.openTelemetry.agent.containerSecurityContext | nindent 10 }}
         readinessProbe:
           httpGet:
             path: /
diff --git a/charts/sourcegraph/templates/otel-collector/otel-collector.Deployment.yaml b/charts/sourcegraph/templates/otel-collector/otel-collector.Deployment.yaml
@@ -74,6 +74,8 @@ spec:
         {{- end }}
         resources:
           {{- toYaml .Values.openTelemetry.gateway.resources | nindent 10 }}
+        securityContext:
+          {{- toYaml .Values.openTelemetry.gateway.containerSecurityContext | nindent 10 }}
         readinessProbe:
           httpGet:
             path: /
diff --git a/charts/sourcegraph/values.yaml b/charts/sourcegraph/values.yaml
@@ -645,6 +645,10 @@ openTelemetry:
       create: false
       # -- Name of the ServiceAccount to be created or an existing ServiceAccount
       name: ""
+    containerSecurityContext:
+      allowPrivilegeEscalation: false
+      runAsUser: 100
+      runAsGroup: 101
 
   agent:
     # -- Name used by resources. Does not affect service names or PVCs.
@@ -667,6 +671,10 @@ openTelemetry:
       create: false
       # -- Name of the ServiceAccount to be created or an existing ServiceAccount
       name: ""
+    containerSecurityContext:
+      allowPrivilegeEscalation: false
+      runAsUser: 100
+      runAsGroup: 101
 
 nodeExporter:
   # -- Enable `node-exporter`
